With Keycloak, users can add authentication to applications and secure devices with minimum effort. The project provides user federation, strong authentication, user management, fine-grained authorization, and more.

Keycloak provides single-sign out, which means users only have to log out once to be logged out of all applications that use Keycloak.

By configuring the Identity Provider using the administration console, Keycloak can authenticate users through existing OpenID Connect or SAML 2.0 Identity Providers.

The administration console of Keycloak allows administrators to centrally manage all aspects of the Keycloak server, such as enabling and disabling different features, configuring identity brokering and user federation, creating and managing applications and services, defining detailed authorization policies, and managing users, including their permissions and sessions.

For people needing more than role-based authorization, Keycloak provides additional fine-grained authorization services that allow users to manage permissions for all their services from the Keycloak admin console.

Keycloak includes inherent support for linking to pre-existing LDAP or Active Directory servers. For those that have users in other stores, such as a relational database, they can create their own provider as well.